sFlow vs netFlow/IPFIX

Nick Hilliard nick at foobar.org
Thu Mar 3 11:53:06 UTC 2016


Peter Phaal wrote:
> I think "pathologically broken" somewhat overstates the case.
> Bidirectional sampling is allowed by the sFlow spec and other vendors
> have made that choice. Another vendor used to implement egress only
> sampling (also allowed) but unusual. I agree that ingress is the most
> common and easiest to deal with, but a decent sFlow analyzer should be
> able to handle all three cases without over / under counting.

Bidirectional sampling doesn't allow you to define an sampling perimeter
on your switch topology.  This means that if you if you have anything
other than a trivial topology, you will end up double-counting your
traffic.  The only way to work around this is to get the collector to
discard 50% of the samples or otherwise write down the amount of traffic
by 50%, assuming a standard accounting perimeter configuration.  This is
broken.

The thing is, this is ridiculously easy to fix in code.  The hooks are
already there.

Nick



More information about the NANOG mailing list